ワンクリックで
aws-org-strategy
Multi-account and OU strategy, landing zone patterns, and workload placement
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Multi-account and OU strategy, landing zone patterns, and workload placement
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
**AWS Coworker Development Guardrails** - MANDATORY when extending or modifying AWS Coworker itself. TRIGGERS (use this skill when ANY of these apply): - User asks to add new skills, agents, or commands to AWS Coworker - User asks to modify existing AWS Coworker components - User asks about AWS Coworker architecture or design - User wants to add support for new AWS services - Discussion involves directory structure or file organization - User mentions "extending", "customizing", or "adding to" AWS Coworker - Creating or modifying files in: skills/, .claude/agents/, .claude/commands/, config/ NOT for: Using AWS Coworker to interact with AWS (that's CLAUDE.md's domain)
Canonical AWS CLI patterns for discover, plan, deploy, validate, and rollback
AWS Well-Architected Framework alignment for planning and review
Organization governance policies - never do, always do, and compliance rules
Git and GitHub best practices for AWS Coworker change management
Cost-aware AWS interaction and optimization patterns
| name | aws-org-strategy |
| description | Multi-account and OU strategy, landing zone patterns, and workload placement |
| version | 1.0.0 |
| category | org |
| agents | ["aws-coworker-core","aws-coworker-planner","aws-coworker-guardrail"] |
| tools | ["Read"] |
This skill captures organizational AWS multi-account strategy, OU structure, landing zone patterns, and workload placement rules. Customize this skill to reflect your organization's specific AWS structure.
This skill supports multiple organizational patterns. Configure based on your setup:
┌─────────────────────────────────────┐
│ Single Account │
│ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ │
│ │ Dev │ │ Stg │ │ Prd │ │ Sec │ │
│ │ VPC │ │ VPC │ │ VPC │ │ VPC │ │
│ └─────┘ └─────┘ └─────┘ └─────┘ │
└─────────────────────────────────────┘
When to use: Small teams, limited workloads, getting started
┌─────────────────────────────────────────────────────┐
│ AWS Organizations │
├─────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ │
│ │Management│ (Billing, Organizations) │
│ └──────────┘ │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Security │ │ Dev │ │ Prod │ │
│ │ Account │ │ Account │ │ Account │ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ │
└─────────────────────────────────────────────────────┘
When to use: Growing teams, need workload isolation
┌──────────────────────────────────────────────────────────────────┐
│ AWS Organizations │
├──────────────────────────────────────────────────────────────────┤
│ Management Account │
├──────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Security OU │ │ Infrastructure │ │ Workloads OU │ │
│ │ │ │ OU │ │ │ │
│ │ ┌───────────┐ │ │ ┌───────────┐ │ │ ┌─────────────┐ │ │
│ │ │ Audit │ │ │ │ Shared │ │ │ │ Non-Prod OU │ │ │
│ │ │ Account │ │ │ │ Services │ │ │ │ ┌─────────┐ │ │ │
│ │ └───────────┘ │ │ │ Account │ │ │ │ │ Dev │ │ │ │
│ │ ┌───────────┐ │ │ └───────────┘ │ │ │ └─────────┘ │ │ │
│ │ │Log Archive│ │ │ ┌───────────┐ │ │ │ ┌─────────┐ │ │ │
│ │ │ Account │ │ │ │ Network │ │ │ │ │ Staging │ │ │ │
│ │ └───────────┘ │ │ │ Hub │ │ │ │ └─────────┘ │ │ │
│ │ │ │ └───────────┘ │ │ └─────────────┘ │ │
│ │ │ │ │ │ ┌─────────────┐ │ │
│ │ │ │ │ │ │ Prod OU │ │ │
│ │ │ │ │ │ │ ┌─────────┐ │ │ │
│ │ │ │ │ │ │ │ Prod │ │ │ │
│ │ │ │ │ │ │ └─────────┘ │ │ │
│ │ │ │ │ │ └─────────────┘ │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────────┐ │
│ │ Sandbox OU │ │
│ │ ┌───────────┐ │ │
│ │ │ Sandbox │ │ │
│ │ │ Accounts │ │ │
│ │ └───────────┘ │ │
│ └─────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────┘
When to use: Enterprise, compliance requirements, team isolation
Extends Pattern 3 with:
- Automated account provisioning
- Guardrails (preventive and detective)
- Account Factory
- Centralized logging and audit
Purpose: AWS Organizations management, consolidated billing
Contains:
Rules:
Purpose: Centralized security tooling and audit
Contains:
Rules:
Purpose: Immutable log storage
Contains:
Rules:
Purpose: Shared infrastructure services
Contains:
Rules:
Purpose: Application workloads
Types:
Rules:
Purpose: Experimentation and learning
Contains:
Rules:
// Example: Deny leaving organization
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrganization",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
]
}
// Example: Require IMDSv2 for EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireIMDSv2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotEquals": {
"ec2:MetadataHttpTokens": "required"
}
}
}
]
}
// Example: Restrict regions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyOtherRegions",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"support:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2",
"eu-west-1"
]
}
}
}
]
}
| Workload Type | Account Type | OU |
|---|---|---|
| Production app | Prod workload | Production OU |
| Pre-prod testing | Staging workload | Non-Production OU |
| Development | Dev workload | Non-Production OU |
| Security tools | Security | Security OU |
| Shared networking | Shared services | Infrastructure OU |
| Experiments | Sandbox | Sandbox OU |
1. What environment? → Determines OU
2. What team owns it? → May determine specific account
3. What compliance needs? → May require dedicated account
4. What network connectivity? → Determines VPC placement
5. What data classification? → Determines security controls
┌─────────────────┐
│ Transit Gateway │
│ (Shared Svcs) │
└────────┬────────┘
│
┌───────────────────┼───────────────────┐
│ │ │
┌────┴────┐ ┌────┴────┐ ┌────┴────┐
│ Dev VPC │ │ Stg VPC │ │ Prd VPC │
│ Account │ │ Account │ │ Account │
└─────────┘ └─────────┘ └─────────┘
Shared VPC Account
├── Shared-Prod-VPC
│ ├── Private-Subnet-App-A (shared to Account A)
│ ├── Private-Subnet-App-B (shared to Account B)
│ └── Private-Subnet-Shared (shared to all)
└── Shared-Dev-VPC
└── ...
## CIDR Allocation Plan
### Primary Region (us-east-1)
| Environment | CIDR | Notes |
|-------------|------|-------|
| Production | 10.0.0.0/16 | 65,536 IPs |
| Staging | 10.10.0.0/16 | 65,536 IPs |
| Development | 10.20.0.0/16 | 65,536 IPs |
| Shared Services | 10.100.0.0/16 | 65,536 IPs |
| Sandbox | 10.200.0.0/16 | 65,536 IPs |
### Secondary Region (us-west-2)
| Environment | CIDR | Notes |
|-------------|------|-------|
| Production DR | 10.1.0.0/16 | DR site |
### Reserved
| Range | Purpose |
|-------|---------|
| 10.50.0.0/16 - 10.99.0.0/16 | Future expansion |
| 172.16.0.0/12 | On-premises |
## New Account Request
### Basic Information
- [ ] Account name (following naming convention)
- [ ] Environment type (dev/staging/prod/sandbox)
- [ ] Owner team
- [ ] Cost center
### Technical Requirements
- [ ] Required regions
- [ ] Network connectivity needs
- [ ] Compliance requirements
- [ ] Data classification
### Access Requirements
- [ ] Team roles needed
- [ ] Service roles needed
- [ ] Break-glass access plan
### Budget
- [ ] Monthly budget estimate
- [ ] Budget alerts configuration
1. Create account via Organizations/Account Factory
2. Configure SSO access
3. Apply baseline SCPs
4. Deploy baseline CloudFormation/CDK
- VPC and networking
- IAM roles
- CloudTrail
- Config
- GuardDuty membership
5. Configure budgets and alerts
6. Add to monitoring
7. Document in account registry
To customize this skill for your organization:
Store organization-specific details in:
templates/single-account.mdtemplates/multi-account-basic.mdtemplates/multi-account-control-tower.mdaws-governance-guardrails — Policy enforcementaws-cli-playbook — Organizations CLI commandsaws-well-architected — Architectural guidance